From: "Frank D. Engel, Jr."
Date: Sun, 26 Nov 2023 20:26:16 -0500
To: 9front@9front.org
Subject: Re: [9front] auth/rsagen: bump bits to 4096

This is the recommendation from NIST:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf

A 2048-bit RSA key has a "security strength" of 112 bits (page 54).

NIST considers encryption with a security strength of 112 bits to be acceptable protection through 2030 but not beyond that (page 59).

See also:

https://www.gradenegger.eu/en/which-key-sizes-should-be-used-for-certification-bodies-and-certificates/

That document indicates that a German government security organization considers less than 3000 bits with RSA to be unacceptable even now.

Of course, RSA is known to be vulnerable to an algorithm which could be implemented on a sufficiently large quantum computer; while such a computer is currently believed to be over a decade away, there have been known cases of full encrypted exchanges being captured and stored for longer periods of time than that to be decrypted after the technology improves to be able to crack the data. Depending on the sensitivity of the information, this could be a factor for some.

There are groups making various efforts to develop new algorithms designed to be safe against quantum computers:

https://en.wikipedia.org/wiki/Post-quantum_cryptography

On 11/26/23 19:42, ori@eigenstate.org wrote:
> Quoth Frank D. Engel, Jr. :
>> Presumably 2048-bit RSA is good until 2030 - but that is less than 7
>> years away and keys created today may still be in use long past that time.
> This is getting closer to a useful description of why,
> but can you explain *how* you concluded that these keys
> are good until 2030?